kubernetes/pkg/controlplane
Antonio Ojea adbf3b5aa5
Add granular authorization for DRA ResourceClaim status updates
This commit introduces the DRAResourceClaimGranularStatusAuthorization
feature gate (Beta in 1.36) to enforce fine-grained authorization checks
on ResourceClaim status updates.

Previously, 'update' permission on 'resourceclaims/status' allowed modifying
the entire status. To enforce the principle of least privilege for DRA
drivers and the scheduler, this change introduces synthetic subresources and
verb prefixes:

- 'resourceclaims/binding': Required to update 'status.allocation' and
  'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated
  on a per-driver basis using 'associated-node:<verb>' (for node-local
  ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).
2026-03-26 13:22:09 +00:00
apiserver KEP-5832: Implement PodGroup admission (#137464) 2026-03-19 21:32:34 +05:30
controller Fix logspam in leaderelection controller. 2026-03-17 18:05:20 -07:00
reconcilers Enforce that all resources set resourcePrefix 2025-09-04 00:11:15 +02:00
doc.go remove import doc comments 2024-12-02 16:59:34 +01:00
import_known_versions.go feat: implements Storage Version Migration API in-tree 2024-03-08 04:18:56 +00:00
import_known_versions_test.go Update SVM to Beta 2025-10-29 19:36:11 +00:00
instance.go Add granular authorization for DRA ResourceClaim status updates 2026-03-26 13:22:09 +00:00
instance_test.go Add test to ensure reset fields is applied consistently 2026-03-12 17:43:04 -04:00
OWNERS Use emeritus_* 2024-08-22 17:48:27 -04:00